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DETAILED ACTION 

1. This Office action is responsive to the following communication: Request for Continued 
Examination filed on 30 April 2009. 

2. Claims 1, 3-9, 11-16, 18-21 and 24-28 are pending and present for examination. 

Continued Examination Under 37 CFR 1.114 

3. A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 
1.17(e), was filed in this application after final rejection. Since this application is eligible for continued 
examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the 
finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's 
submission filed on 3 April 2009 has been entered. 

Response to Amendment 

4. Claims 1, 9, and 16 have been amended. 

5. Claims 2, 10, and 17 have been cancelled. 

6. No claims have been newly added. 

Claim Rejections - 35 USC§ 103 

7. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness 
rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art 
are such that the subject matter as a whole would have been obvious at the time the invention was made to a 
person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be 
negatived by the manner in which the invention was made. 

8. Claims 1, 3, 6, 8-9, 11, 14, 16, 18, 21, and 24-28 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over Pisello et al (U.S. Patent No. 5,495,607, hereinafter referred to PISELLO), filed 
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on November 15, 1993, and issued on February 27, 1996, in view of Stupel<, Jr. et a! (U.S. Patent No. 
5,586,304, hereinafter referred to as STUPEK), filed on 8 September 1994, and issued on 17 December 
1996, and in further view of Miyata et al (USPGPUB No. 2004/0117401, hereinafter referred to as 
MIYATA), filed on 21 April 2003, and published on 17 June 2004. 

9. As per independent claim 1, 9 and 16, PISELLO, in combination with STUPEK, MIYATA, and 
BUCHER, discloses: 

A computer implemented method for gleaning file attributes independently of file format, 
the method comprising the steps of: 

a non-application-specific file attribute manager receiving a plurality of files in a 
plurality of formats {See PISELLO, coI. 13, lines 14-19, wherein this reads over "a domain-wide 
status-monitor . . . periodically scan[s]"}; 

the file attribute manager scanning the plurality of received files in the plurality of 
formats {See PISELLO, col. 13, lines 14-19, wherein this reads over "a domain-wide status-monitor 

. . . periodically scan[s]"}; 

the file attribute manager gleaning file attributes of a plurality of typ es from each of 
the plurality of scanned files in the plurality of formats {See pisello, coi. i3, lines 48- 
51, wherein this reads over "to collect the file Identifying information stored at a given scan time"; 
and col. 15, lines 36-51, wherein this reads over, searchable database fields preferably include: . . . 

FiieName:PathName"> f wherein the plurality of gleaned attribute types differ for 
protocols used to receive the pluralitv of scanned files and each of the pluralitv 
of scanned files are received according to one of the protocols {See buchei^, [oioo], 
wherein this reads over "one or more of the content events 500 specified or otherwise associated 
with one or more rules 300 may, similar to the metadata contained in the metadata profile 404, 
further include, or otherwise have associated therewith, further specific information concerning a 
particular content event"; and [0111], wherein this reads over "In the case where the rules 300 are 
included as part of the metadata profiles 404, identification of the content implicated by a detected 
content even can be made by searching all of the metadata profiles and identifying those profiles, 
and corresponding content, that reference the detected content event"}; 



the file attribute manager storing the file attributes gleaned from each of the plurality 
of scanned files as a plurality of records in a database {See pisello, coi. i3, lines 5i- 
56, wherein this reads over "to integrate the collected information into the domain-wide virtual 
catalog"}; 

the file attribute manager indexing specific file attributes gleaned from specific files 
according to contents of the specific files, the specific file attributes being stored 
as ones of the plurality of records in the database {See pisello, coi. 14, lines i6-i9, 
wherein this reads over "Table 2 which shows an example of what might be displayed . . . [from] the 
domain administrating data/rule base"}; 

examining one of the plurality of files {See pisello, coI. 13, lines 14-19, wherein this reads over 
"a domain-wide status-monitor . . . periodically scan[s]"; and col. 13, lines 48-51, wherein this reads 
over "to collect the file identifying information stored at a given scan time"; and col. 15, lines 36-51, 
wherein this reads over, searchable database fields preferably include: . . . FileName; PathName"}; 
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retrieving from tine plurality of records in the database at least one record associated 
with the examined one of the plurality of files {See stupek, C3:L64-67, wherein this 

reads over "the upgrade advisor retrieves information about the I^IB 5 from a server database 13 
located in the server manager"; and C4:L2-26, wherein this reads over "the upgrade database may 
also contain information about a resource (e.g., a driver) which is not recognized by the server 
manager. In this situation, the upgrade advisor places information about the resource (e.g., name, 
version number) into a driver table 32 in the MIB 5. An agent 21 of the server manager located in the 
server uses this information to search for the resource (I.e., to see If the resource has been Installed 
on the network). If so, the server manager creates entries for the resource In the server database"}; 

retrieving from the plurality of records in the database a second record associated 

with a malicious file {See |v|IYATA, [0032], wherein this reads over "reads on virus pattern from 
virus database 1621" and "checl<s whether or not F is infected wit ha virus corresponding to P"}; 

analyzing the gleaned attributes gleaned from examined one of the plurality of files, 
the gleaned file attributes having been retrieved from the first record; {See 
STUPEK, C4:L5-13, wherein this reads over "the upgrade advisor 11 retrieves Information about the 
MIB 5 from a server database 13 located In the server manager. The server database 13 tells the 
upgrade advisor 11 the location of each piece of Information contained In the MIB. The upgrade 
advisor 11 supplies the location Information to a data retriever 15, which uses It to retrieve from the 
MIB 5 data (MIB data) about the network resources 3. The upgrade advisor 11 then retrieves 
upgrade Information from the upgrade database 9 and performs two types of comparisons; a) 
whether or not a particular upgrade package corresponds to a resource on the server, and b) 
whether or not the version number of the upgrade package matches the version number of the 
corresponding network resource (I.e, whether or not the upgrade package represents a true upgrade 
for the existing network resource)"}; and 

analyzing one or more attributes of the malicious file, the one or more attributes of 
the malicious file having been gleaned from the second record {See iviiyata, [0019], 
wherein this reads over "virus scanner 1532, which compares a suspected file with associated 
patterns contained in virus database 1621"}; and 

determining whether a status of the examined one of the plurality of files is malicious 

{See I^IYATA, [0019], wherein this reads over "virus scanner 1532, which compares a suspected file 
with associated patterns contained in virus database 1621"}, responsive to analyzing the 
gleaned file attributes {See stupek, CI3-20, wherein this reads over "If the upgrade applies to 
a resource on the server and If the upgraded and current versions of the network resource do not 
match, the upgrade advisor 11 uses additional Information from the upgrade database 9 to analyze 
the level of severity of the upgrade. I.e., to determine the Importance of the upgrade to the efficient 
operation of the server."} and the one or more attributes of the malicious file {See 
MIYATA, [0019], wherein this reads over "virus scanner 1532, which compares a suspected file with 
associated patterns contained In virus database 1621"}. 

While PISELLO fails to expressly disclose the method step of analyzing gleaned attributes and 

thereafter determining a status, the prior art of STUPEK discloses a method wherein information is 

retrieved from a database, and said information is summarily compared with upgrade information to 

determine whether an upgrade is necessary. That is the prior art of STUPEK discloses a method wherein 

file attributes such as the name, version number, and a timestamp, which have been gleaned from a file, 



are compared and verified. The combination of inventions disclosed In PISELLO and STUPEK would 



Application/Control Number: 10/645,989 Page 5 

Art Unit: 2169 

disclose a method comprising of examining a file, analyzing the gleaned attributes concerning the file 
with records retrieved from the database (e.g. upgrade information), and determining the status of the 
file (i.e. whether or not the versions match). Therefore, it would have been obvious to one of ordinary 
skill in the art at the time the invention was made to modify the above invention suggested by PISELLO 
by combining it with the invention disclosed by STUPEK. 

One of ordinary skill in the art would have been motivated to do this modification so malicious or 
illegitimate files are blocked from entering the computer, from executing, and from performing certain 
functions while executing. 

Additionally, while the combination of PISELLO and STUPEK may fail to expressly disclose the 
method step of determining whether a file is malicious, the prior art of MIYATA discloses an invention 
wherein a virus pattern is retrieved from a virus database and used to determine by comparison whether 
a file is malicious. The combination of invention disclosed in PISELL, STUPEK, and MIYATA would 
disclose a method wherein the data pattern (i.e. the attribute) is gleaned from the files such that the 
virus pattern is used to verify whether the file is malicious or not. Therefore, it would have been obvious 
to one of ordinary skill in the art at the time the invention was made to modify the above invention 
suggested by the combination of PISELLO and STUPEK by combining it with the invention as disclosed by 
MIYATA. 

One of ordinary skill in the art would have been motivated to do this modification so that gleaned 
attributes may be used to verify the authenticity of a file. 

Lastly, while the combination of PISELLO, STUPEK, and MIYATA may fail to expressly disclose the 
method step of gleaning file attributes "wherein the plurality of gleaned attribute types differ for 
protocols used to receive the plurality of scanned files and each of the plurality of scanned files are 
received according to one of the protocols," the prior art of BUCHER discloses an invention wherein a 
particular content event would initiate the retrieval of specific information according to the metadata 
contained in a metadata profile. That is, wherein a file received via a network protocol such as a LAN, 
the content management system may retrieve the identity of the network appliance, while wherein a file 



Application/Control Number: 10/645,989 Page 6 

Art Unit: 2169 

received via an email protocol may initiate the content management system to retrieve the email address 
of the sender. See BUCHER, [0123-0129]. Therefore, it would have been obvious to one of ordinary skill 
in the art at the time the invention was made to modify the above invention suggested by the 
combination of PISELLO, STUPEK, and MIYATA by combining it with the invention as disclosed by 
BUCHER. 

One of ordinary skill in the art would have been motivated to do this modification so that certain 
content events may be customized to only require the retrieval of specific information according to a 
metadata profile. 

10. As per dependent claim 3, 11, IS, PISELLO, in combination with STUPEK, MIYATA, and 

BUCHER, discloses: 

A method wherein specific types of file attributes are gleaned from a specific file 
as a function of a format of the file {See PISELLO, col. 15, lines 46-51, wherein this reads over 
"Novell-defined attributes"}. 

11. As per dependent claims 6, 14, 21, PISELLO, in combination with STUPEK, MIYATA, 

and BUCHER, discloses: 

A method further comprising the file attribute manager receiving a plurality of 
copies of a selected file of the plurality of files, and the file attribute manager storing 
each of the plurality of copies as a separate record in the plurality of records, each 
separate record indexed according to the contents of the selected file of the plurality of 
files, such that the each separate record can be accessed by the single index {See pisello, 

Table 2; and col. 14, lines 62-64, wherein this reads over "the same file name may appear multiple times in the 
listing of Table 2, even with identical path names (e.g., 'Dave. doc')"}. 

12. As per dependent claim 8, PISELLO, in combination with STUPEK, MIYATA, and BUCHER, 



The method wherein the non-application-specific file attribute manager is 
incorporated into one selected from the group consisting of: 

A firewall; 

An intrusion detection system; 

An intrusion detection system application proxy; 

A router; 

A switch; 

A standalone proxy; 

A server; {See pisello, coI. is, lines 14-15, wherein this reads over "domain-wide status-monitor 
and control program is installed in the domain administrating server"}. 
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A gateway 

An anti-virus detection system; and 
A client. 

Additionally, the claim limitation optionally recites a method wherein the attribute 
manager is incorporated into an selected entity, for the purposes of this examination, a server 
will be considered the selected entity and the remainder entities will not be provided further 
consideration nor will prior art be applied in said consideration. 

13. As per dependent claim 24, PISELLO, in combination with STUPEK, MIYATA, and BUCHER, 
discloses a method of blocking a file upon the determination that the received file is malicious {See stupek, 

C8:L30-48}. 

While PISELLO fails to expressly disclose a method wherein a file is blocked upon a maliciousness 
determination, STUPEK discloses a method wherein if an upgrade is not applicative, the upgrade is not 
included within the upgrade package. The combination of inventions disclosed in PISELLO and STUPEK 
would disclose a method comprising of blocking the file upon the determination that the received file is 
malicious (i.e. the package object retrieves comparison results and combined them to determine package 
status (i.e., whether or not the package applies to the server, and whether the package needs to be 
upgraded on the server). Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made to modif/ the above invention suggested by PISELLO by combining it with 
the invention disclosed by STUPEK and MIYATA. 

One of ordinary skill in the art would have been motivated to do this modification such that files 
which are not legitimate are blocked from entering the server, from executing, and from performing 
certain functions while executing. 

14. As per dependent claim 25, PISELLO, in combination with STUPEK, MIYATA, and BUCHER, 
discloses a method of not blocking the file upon the determination that the received file is legitimate {See 

STUPEK, C8:L30-48}. 

While PISELLO fails to expressly disclose a method wherein a file is blocked upon a maliciousness 
determination, STUPEK discloses a method wherein if an upgrade is applicative, the upgrade is included 
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within tlie upgrade pacl<age. Tlie combination of inventions disclosed in PISELLO and STUPEK would 
disclose a method comprising of allowing the file upon the determination that the received file is 
legitimate (i.e. the package object retrieves comparison results and combined them to determine package 
status (i.e., whether or not the package applies to the server, and whether the package needs to be 
upgraded on the server). Therefore, it would have been obvious to one of ordinary skill in the art at the 
time the invention was made to modify the above invention suggested by PISELLO by combining it with 
the invention disclosed by STUPEK and MIYATA. 

One of ordinary skill in the art would have been motivated to do this modification such that files 
which are not legitimate are allowed to enter the server, execute, and perform certain functions while 
executing. 

15. As per dependent claim 26, PISELLO, in combination with STUPEK, MIYATA, and BUCHER, 

discloses a method for applying a rule specif/ing how to use gleaned file attributes to process the file {See 
STUPEK, C13-20, wherein this reads over "If the upgrade applies to a resource on the server and if the upgraded and current 
versions of the networl< resource do not match, the upgrade advisor 11 uses additional information from the upgrade database 9 to 
analyze the level of severity of the upgrade, i.e., to determine the importance of the upgrade to the efficient operation of the 
server."}. 

The combination of inventions disclosed in PISELLO and STUPEK would disclose a method 
comprising for applying a rule specifying how to use gleaned file attributes to process a file. Therefore, it 
would have been obvious to one of ordinary skill in the art at the time the invention was made to modify 
the above invention suggested by PISELLO by combining it with the invention disclosed by STUPEK and 
MIYATA. 

One of ordinary skill in the art would have been motivated to do this modification in order to 
determine the legitimacy of a file by analyzing and processing the gleaned attributes according to a set 
rule. 

16. As per dependent claim 27, PISELLO, in combination with STUPEK, MIYATA, and BUCHER, 
discloses a method for determining a rule to apply specifying how to use gleaned file attributes to process 
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the file {See STUPEK, C13-20, wherein this reads over "If the upgrade applies to a resource on the server and if the upgraded 
and current versions of the networl< resource do not match, the upgrade advisor 11 uses additional information from the upgrade 
database 9 to analyze the level of severity of the upgrade, i.e., to determine the importance of the upgrade to the efficient 
operation of the server."}. 

While PISELLO fails to expressly disclose a method for determining a rule to apply specifying how 
to use gleaned file attributes to process the file, the prior art of STUPEK discloses a method wherein the 
upgrade manager performs comparisons on the attributes of the file, specifically the version number. The 
combination of inventions disclosed in PISELLO and STUPEK would disclose a method comprising of 
determining at least one of a plurality of rules to apply to a file. Therefore, it would have been obvious 
to one of ordinary skill in the art at the time the invention was made to modify the above invention 
suggested by PISELLO by combining it with the invention disclosed by STUPEK and MIYATA. 

One of ordinary skill in the art would have been motivated to do this modification so that 
upon the failure or passage of a file in a rule, further gleaned attributes may be checked to 
determine the legitimacy of a file. 

17. As per dependent claim 8, PISELLO, in combination with STUPEK, MIYATA, and BUCHER, 
discloses: 

The method of claim 1, wherein the plurality of files are received from a network 
connection {See STUPEK, Figures 1, 2, 6, and 11}. 

18. Claims 4, 12, and 19 are rejected under 35 U.S.C. 103(a) as being unpatentable over PISELLO, 
in view of STUPEK, MIYATA, and BUCHER, and in further view of Fischer (U.S. Patent No. 5,694, 569, 
hereinafter referred to as FISCHER), filed on June 5, 1995, and issued on December 2, 1997. 

The combination of PISELLO, STUPEK, MIYATA, and BUCHER discloses the limitations of claims 
1-3, 6, 8-11, 14, 16-18, and 21 for the reasons stated above. 

The combination of PISELLO, STUPEK, MIYATA, and BUCHER differs from the claimed invention 
in that they fail to disclose a method further comprising the file attribute manager indexing attributes 
being stored by using a secure hash of the contents of that file (claims 4, 12, and 19). 
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19. As per dependent claim 4, 12, and 19, PISELLO, in combination with STUPEK, MIYATA, 
BUCHER, and FISCHER, discloses a method further comprising the file attribute manager indexing 

attributes being stored as a record in the database concerning a specific file according to a secure hash 
of the contents of that file {See FISCHER, coI. l, lines 40-50, wherein tilis reads over ""file integrity may be protected by 
tal<ing a one-way liash over tlie contents of the file. By implementing and checking a currently computed hash value, with a 
previously stored hash value"}. 

The combination of inventions disclosed in PISELLO, STUPEK, MIYATA, BUCHER, and FISCHER 
would disclose a method wherein the file attribute manager would index attributes in a database 
according to a secure hash, by using a secure hash algorithm (SHA), of the contents of that file. 
Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was 
made to modify the above invention suggested by PISELLO by combining it with the invention disclosed 
by STUPEK, MIYATA, BUCHER, and FISCHER. 

One of ordinary skill in the art would have been motivated to do this modification so that the 
records may be indexed securely and subsequently retrieved by a blocking system. 

20. Claims 5, 13, and 20 are rejected under 35 U.S.C. 103(a) as being unpatentable over PISELLO, 
in view STUPEK, MIYATA, and BUCHER, and in further view of Baker (USPGPUB No. 2003/0233352, 
hereinafter referred to as BAKER), filed on March 19, 2003, claiming priority to March 21, 2002, and 
published on December 18, 2003. 

The combination of PISELLO, STUPEK, MIYATA, and BUCHER discloses the limitations of claims 1, 
3, 6, 8-9, 11, 14, 16, 18, 21, and 24-28 for the reasons stated above. 

The combination of PISELLO, STUPEK, MIYATA, and BUCHER differ from the claimed invention in 
that they fail to disclose a method further comprising the file attribute manager indexing attributes 
according to a cyclical redundancy check of the contents of that file (claims 5, 13, and 20). 

21. As per dependent claims 5, 13, and 20, PISELLO, in combination with STUPEK, MIYATA, 
BUCHER, and BAKER, discloses a method further comprising the file attribute manager indexing attributes 
being stored as a record in the database concerning a specific file according to a cyclical redundancy 
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check of the contents of that file {See baker, Para. 0008, wherein this reads over"[t]he controller may be further 
programmed ... to determine a cyclical redundancy check of the file"}. 

While PISELLO fails to expressly disclose a method of utilizing a CRC on the contents of a file, 
BAKER discloses a means for applying a CRC on the file for validation purposes. The combination of 
inventions disclosed in PISELLO, STUPEK, MIYATA, BUCHER, and BAKER would disclose a method 
wherein the file attribute manager would index attributes in a database according to a cyclical 
redundancy check of the contents of that file. Therefore, it would have been obvious to one of ordinary 
skill in the art at the time the invention was made to modify the above invention suggested by PISELLO 
by combining it with the invention disclosed by STUPEK, MIYATA, BUCHER, and BAKER. 

One of ordinary skill in the art would have been motivated to do this modification so that the 
records may be indexed securely and subsequently retrieved by a blocking system. 

22. Claims 7, 15, and 22 are rejected under 35 U.S.C. 103(a) as being unpatentable over PISELLO, 
in view of STUPEK, MIYATA, and BUCHER, and in further view of Chino et al (USPGPUB 2002/0046207), 
filed on June 25, 2001, and published on April 18, 2002. 

The combination of PISELLO, STUPEK, MIYATA, and BUCHER discloses the limitations of claims 1, 
3, 6, 8-9, 11, 14, 16, 18, 21, and 24-28 for the reasons stated above. 

The combination of PISELLO, STUPEK, MIYATA, and BUCHER differs from the claimed invention 
in that they fail to disclose a method which deletes records from the database after the records have 
been stored for a specific period of time (claims 7, 15, and 22). 

23. As per dependent claims 7, 15, and 22, PISELLO, in combination with STUPEK, MIYATA, 
BUCHER, and CHINO, discloses a method further comprising of deleting records from the database after 
the records have been stored for a specific period of time {See chino. Para. 0060, wherein this reads over "location 
information collector determines whether a predetermined time , e.g. two hours, has passed wince the record of the current 
location registered in the respective tables of the location information storage was collected, and sequentially deletes those records 
with a predetermined time elapsed"}. 
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While PISELLO fails to expressly disclose a method of purging files, CHINO discloses a method of 
purging records when a predetermined time has elapsed. The combination of inventions disclosed in 
PISELLO, STUPEK, MIYATA, BUCHER, and CHINO would disclose a method comprising of deleting records 
with a predetermined time elapsed. Therefore, it would have been obvious to one of ordinary skill in the 
art at the time the invention was made to modify the above invention suggested by PISELLO by 
combining it with the invention disclosed by STUPEK, MIYATA, BUCHER, and CHINO. 

One of ordinary skill in the art would have been motivated to do this modification so that 
the database is kept current and free of obsolete records. 

Response to Arguments 

24. Applicant's arguments with respect to claim rejections under 35 U.S.C. 103 have been considered 
but are moot in view of the new ground(s) of rejection. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the examiner should 
be directed to PAUL KIM whose telephone number is (571)272-2737. The examiner can normally be 
reached on M-F, 9am - 5pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
Tony Mahmoudi can be reached on (571) 272-4078. The fax phone number for the organization where 
this application or proceeding is assigned is 571-273-8300. 
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